CertMate CertMate / Tools
7 live · more landing weekly

The certificate toolbox you can actually trust.

Decode, validate, inspect and monitor TLS certificates without ever uploading them. Everything runs in your browser. No accounts, no ads, no analytics.

Browse the toolbox Try the certificate decoder →

Our tools

100% client-side. Built with Web Crypto + @peculiar/x509.

Single-purpose tools, one URL each, no upsell. Open source — read the code.

Decode & inspect

Parse certificates, CSRs and keys in your browser — never uploaded.

certificate-decoder

CSR Decoder

Paste a PKCS#10 Certificate Signing Request and see CN, SAN, key parameters and challenge attributes.

Validate

Chains, hostnames, key/cert pairs — formal checks against RFC 5280 / 6125.

Chain Builder & Validator

Paste a bundle of PEM blocks. Reorder them into a valid leaf → root chain and spot what's missing.

Key ↔ Cert Matcher

Confirm a private key and certificate match. Both stay in your browser — Web Crypto only.

Hostname / SAN Validator

Test which hostnames a certificate covers under RFC 6125 — wildcards, IDN, CN fallback.

Monitor

Certificate transparency search, expiry inventory, alerting.

ct-search

soon

bulk-expiry

soon

ACME helpers

External account binding, DNS-01 challenge math, provider quick-refs.

acme-dns-01

Compliance EU

NIS2, DORA, eIDAS 2.0 — TLS posture mapped to the articles.

nis2-tls-readiness

Trusted external tools

Curated, opens in a new tab.

Some jobs need infrastructure we cannot replicate in a static site — live TLS handshakes, transparency log indexing, OCSP queries. These are the ones we trust.

Validate

HSTS Preload

external

Official Chromium HSTS preload submission and status check.

Probe & scan

Qualys SSL Labs

external

The reference TLS server grader. Slow but authoritative.

Hardenize

external

Fast multi-protocol scan: TLS, DNSSEC, HSTS, email security.

Mozilla HTTP Observatory

external

Open-source security headers + cookies + TLS analyzer by Mozilla.

open source

testssl.sh

external

The gold-standard self-hosted TLS scanner. CLI, no telemetry.

open source

Revocation Check

external

The only OCSP / CRL checker that still works well.

Monitor

crt.sh

external

Comodo / Sectigo certificate transparency search. UI from 1998, data is unmatched.

SSLMate Cert Spotter

external

CT monitor with reliable alerts. Open core.

open source

Compliance EU

internet.nl

external

EU benchmark for internet standards. Operated by the Dutch Internet Standards Platform.

open source

ENISA NIS2 Guidance

external

Official ENISA technical implementation guidance (June 2025).

Managing dozens of certificates?

Public TLS certificate lifetimes are on a published path down — the CA/Browser Forum ballot SC-081v3 caps maximum validity at 200 days from March 2026, 100 days from 2027, and 47 days by 2029. CertMate is the open-source manager built for that automation reality. SC-081v3 ↗

Get CertMate on GitHub →